_content/security/vuln: fix errors in vscode editor settings

And rearrange the caveats so people know the analysis is done locally.

Change-Id: I15a5265fa6ac4828bf33fbea9002676c75d3ad7b
Reviewed-on: https://go-review.googlesource.com/c/website/+/499922
Run-TryBot: Hyang-Ah Hana Kim <hyangah@gmail.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Suzy Mueller <suzmue@golang.org>
diff --git a/_content/security/vuln/editor.md b/_content/security/vuln/editor.md
index 34d0807..7e713e1 100644
--- a/_content/security/vuln/editor.md
+++ b/_content/security/vuln/editor.md
@@ -27,7 +27,7 @@
 The [Go extension](https://marketplace.visualstudio.com/items?itemName=golang.go) offers the integration with gopls. The following settings are required to enable the vulnerability scanning features:
 
 ```
-"go.vulncheck": "Imports" // enable the imports-based analysis by default.
+"go.diagnostic.vulncheck": "Imports", // enable the imports-based analysis by default.
 "gopls": {
   "codelenses": {
     "run_govulncheck": true  // "Run govulncheck" code lens on go.mod file.
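Review bot: The opening fence of this snippet has no language tag, yet the corrected `"go.diagnostic.vulncheck"` line and the `"run_govulncheck"` line both carry `//` comments, which strict JSON rejects. Consider tagging the fence `jsonc`, or stating in the sentence above that the block goes into the VS Code `settings.json`, so a copy-paste does not fail to parse. Since the old `"go.vulncheck"` key was wrong, a reader who copied it earlier ends up with the scan not enabled and nothing to tell them so. A short mention of the rename in the prose would help them notice.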
@@ -58,7 +58,7 @@
 
 ## Notes and Caveats
 
-- The import-based analysis uses the list of packages in the workspace modules, which may be different from what you see from `go.mod` files if `go.work` or module `replace`/`exclude` is used.
-- The govulncheck analysis result can become stale as you modify code or the Go vulnerability database is updated. In order to invalidate the analysis results manually, use the [`"Reset go.mod diagnostics"`] codelens shown on the top of the `go.mod` file. Otherwise, the result will be automatically invalidated after an hour.
-- These features currently don't report vulnerabilities in the standard libraries or tool chains. We are still investigating UX on where to surface the findings and how to help users handle the issues.
 - The extension does not scan private packages nor send any information on private modules. All the analysis is done by pulling a list of known vulnerable modules from the Go vulnerability database and then computing the intersection locally.
+- The import-based analysis uses the list of packages in the workspace modules, which may be different from what you see from `go.mod` files if `go.work` or module `replace`/`exclude` is used.
+- The govulncheck analysis result can become stale as you modify code or the Go vulnerability database is updated. In order to invalidate the analysis results manually, use the `"Reset go.mod diagnostics"` codelens shown on the top of the `go.mod` file. Otherwise, the result will be automatically invalidated after an hour.
+- These features currently don't report vulnerabilities in the standard libraries or tool chains. We are still investigating UX on where to surface the findings and how to help users handle the issues.
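Review bot: The re-added stale-results bullet drops the square brackets around `"Reset go.mod diagnostics"`, a markup fix the commit message does not mention. It is worth a word there so the change is not read as a pure reorder. While these lines are being touched, the bullet writes "codelens" where the settings snippet comment writes "code lens", and the last bullet has "standard libraries or tool chains" where "standard library or toolchain" would be the usual wording. Picking one spelling for each keeps the page consistent. Moving the privacy bullet to the top reads well. It would be clearer still if it said explicitly that only the list of known vulnerable modules is downloaded and that nothing about the workspace is uploaded.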